-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix copy API (docker cp
, etc) uid/gid handling
#28923
Conversation
For compatibility, probably it should be an option, e.g. |
windowsRS1 failing with many "not supported by windows" errors
|
ah ok. what's the way to gate this test so it only runs on linux?
…On Tue, Nov 29, 2016 at 12:56 AM, Akihiro Suda ***@***.***> wrote:
windowsRS1 failing with many "not supported by windows" errors
08:12:47 ----------------------------------------------------------------------
08:12:47 FAIL: docker_cli_cp_to_container_test.go:228: DockerSuite.TestCpToCaseA
08:12:47
08:12:47 docker_cli_cp_to_container_test.go:236:
08:12:47 makeTestContentInDir(c, tmpDir)
08:12:47 docker_cli_cp_utils.go:107:
08:12:47 c.Assert(os.Chown(path, fd.uid, fd.gid), checker.IsNil)
08:12:47 ... value *os.PathError = &os.PathError{Op:"chown", Path:"d:\\CI\\CI-f2356d4\\test-cp-to-case-a949295019\\file1", Err:0x20000082} ("chown d:\\CI\\CI-f2356d4\\test-cp-to-case-a949295019\\file1: not supported by windows")
08:12:47
08:12:51
08:12:51 ----------------------------------------------------------------------
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#28923 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AABJ63fYLdDR1_GMsPQJDgPu3j3K1CUKks5rC-jNgaJpZM4K-qDd>
.
|
@erikh if it requires a Linux daemon; https://github.com/docker/docker/blob/master/integration-cli/docker_api_stats_test.go#L262 If it requires the daemon and client to be linux, probably https://github.com/docker/docker/blob/master/integration-cli/docker_api_stats_test.go#L166 However, there are also some test files that are only built/run on Linux/Unix (keep in mind that work is in progress on Solaris support); https://github.com/docker/docker/blob/master/integration-cli/docker_api_stats_unix_test.go#L1 |
Hmm. actually it looks like the chmod is failing in the test setup instead
as well. I will revisit tonight.
…On Tue, Nov 29, 2016 at 1:08 AM, Sebastiaan van Stijn < ***@***.***> wrote:
@erikh <https://github.com/erikh> if it requires a Linux *daemon*;
https://github.com/docker/docker/blob/master/integration-cli/docker_api_
stats_test.go#L262
If it requires the daemon and client to be linux, probably
https://github.com/docker/docker/blob/master/integration-cli/docker_api_
stats_test.go#L166
However, there are also some test *files* that are only built/run on
Linux/Unix (keep in mind that work is in progress on Solaris support);
https://github.com/docker/docker/blob/master/integration-cli/docker_api_
stats_unix_test.go#L1
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#28923 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AABJ61g0_PN_oG_2UDvlWYDaN83SITuhks5rC-uUgaJpZM4K-qDd>
.
|
I'm working on this now, sorry for the delay. |
The cp tests are passing again on windows. PTAL? |
@thaJeztah do we have a way to force a |
hm, no doesn't seem to work indeed 😢 not sure |
FWIW, I ran the full suite myself against a user namespace-enabled daemon and all tests passed, but most importantly:
Taking 25sec to run the test seems a bit long given the steps don't seem intensive, but it is passing. Personally I'm fine with design; not sure if this needs more design review or just code review and confirmation on functionality of preserving ownership (which probably was the way it was working before user namespaces were merged in 1.9 experimental) |
That is a documented behavior in https://github.com/docker/docker/blob/master/docs/reference/commandline/cp.md so I'm not sure we can just flip it. Even if it makes more sense we should probably keep the cli behavior and change the API only. cc @jlhawn |
👍 I'm not sure what the project's official process and policy is if we were to change the default behavior, but I think it would be a good idea to do this (preserve permissions) since the stated goal of
If we do not want to change the current behavior, we could provide a Also, last year, when we added support for extracting an archive into a container, I considered adding a |
Adding |
This is the less surprising behavior to me (documented or not, broken is
broken). That said, I will do whatever you guys want. Just give me exact
details please.
…On Thu, Dec 8, 2016 at 3:32 PM, Sebastiaan van Stijn < ***@***.***> wrote:
Adding -p / --preserve-ownership doesn't sound too bad; at least it
guarantees a non-breaking change
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#28923 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AABJ64YNvH3jzhc9k7B51fSNAtjzd3v7ks5rGJOXgaJpZM4K-qDd>
.
|
Not saying I disagree, but changing behavior like this has bitten us on multiple occasions, because people start to rely on it (even if it's broken). If we do decide to change the default, we should consider adding a flag / option to restore the current behavior. |
Oh definitely re: flag to restore behavior. I completely agree.
Once you folks decide on something, I will change the PR. Happy to do it
either scenario, just expressing my opinion on the subject.
…On Mon, Dec 12, 2016 at 8:15 AM, Sebastiaan van Stijn < ***@***.***> wrote:
This is the less surprising behavior to me (documented or not, broken is
broken).
Not saying I disagree, but changing behavior like this has bitten us on
multiple occasions, because people start to rely on it (even if it's
broken). If we *do* decide to change the default, we should consider
adding a flag / option to restore the current behavior.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#28923 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AABJ6--NZjYpMbII1Pn1Bqt5KyULpJAaks5rHXMsgaJpZM4K-qDd>
.
|
Consider the linux command: chmod --reference={reference_file} {target_file} |
We were comparing behavior with a regular
Suggested;
/cc @cpuguy83 |
interesting. I can patch this in but it seems surprising (at least, I
didn't realize it merged permissions) from a behavior standpoint. Is there
any justification out there I can read? Mostly just curious.
what do you want to do about permission bits (if anything)? preserve host?
Not sure it's relevant, but might be a good time to discuss that while
we're here.
…On Thu, Dec 15, 2016 at 11:31 AM, Sebastiaan van Stijn < ***@***.***> wrote:
We were comparing behavior with a regular cp;
- cp source target uses permissions of target if target exists, and
uses permissions of the current user if the target file doesn't exist
- cp -a source target uses permissions of source if target exists, and
*also* uses permissions of the current user if the target file doesn't
exist
Suggested;
- use an --inherit-ownership flag (but open to suggestions)
- if target does *not* exist, give the file ownership of the container
user (instead of root)
- if target file *does* exist, give the file ownership of the source
file.
- add another flag (suggestions as well) to force files maintaining
ownership of the source files
/cc @cpuguy83 <https://github.com/cpuguy83>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#28923 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AABJ6ypvtPetRuBWEb1ZvROgYDVcolp7ks5rIZWogaJpZM4K-qDd>
.
|
Wouldn't the new file inherit ownership from the target file?
Open source fire hose. |
Maybe I'm misunderstanding something; are those `/bin/cp` (aka POSIX) rules
or something else?
I guess I should just look this up myself haha
…On Thu, Dec 15, 2016 at 12:34 PM, Brian Goff ***@***.***> wrote:
if target file does exist, give the file ownership of the source file.
Wouldn't the new file inherit ownership from the target file?
Is there any justification out there I can read? Mostly just curious.
Open source fire hose.
Probably something like "we want to add this!", "ok, sounds awesome!",
"woohoo docker cp is now a thing!"
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#28923 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AABJ64z0qmBLo3oK2n1nXVqBx3Dh-I0-ks5rIaRugaJpZM4K-qDd>
.
|
This is quite clear on what should be done, at least. I'll save the thread
the rest. http://pubs.opengroup.org/onlinepubs/9699919799/utilities/cp.html
…On Thu, Dec 15, 2016 at 12:36 PM, Erik Hollensbe ***@***.***> wrote:
Maybe I'm misunderstanding something; are those `/bin/cp` (aka POSIX)
rules or something else?
I guess I should just look this up myself haha
On Thu, Dec 15, 2016 at 12:34 PM, Brian Goff ***@***.***>
wrote:
> if target file does exist, give the file ownership of the source file.
>
> Wouldn't the new file inherit ownership from the target file?
>
> Is there any justification out there I can read? Mostly just curious.
>
> Open source fire hose.
> Probably something like "we want to add this!", "ok, sounds awesome!",
> "woohoo docker cp is now a thing!"
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <#28923 (comment)>, or mute
> the thread
> <https://github.com/notifications/unsubscribe-auth/AABJ64z0qmBLo3oK2n1nXVqBx3Dh-I0-ks5rIaRugaJpZM4K-qDd>
> .
>
|
no idea; if you have any suggestions or clues that'd be great. |
@erikh : Use |
I get |
That's why the test fails on powerpc and s390 as well. Download frozen images on both arch shows
|
ah ok! Will update tonight. Thanks.
…On Tue, Apr 11, 2017 at 3:29 PM Anusha Ragunathan ***@***.***> wrote:
That's probably why the test fails on powerpc and s390 as well.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#28923 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AABJ6y73mw68u1gWjMEf9NPr0eM1B_Fnks5ru_7GgaJpZM4K-qDd>
.
|
This changes the long-standing bug of copy operations not preserving the UID/GID information after the files arrive to the container. Signed-off-by: Erik Hollensbe <github@hollensbe.org>
Tests are running now, I'll validate later today. |
LGTM |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@thaJeztah are there any follow-on doc changes needed for the new |
Changelog needs update and I've added the label so that it gets tracked. |
Fix copy API (`docker cp`, etc) uid/gid handling
Fix copy API (`docker cp`, etc) uid/gid handling
I'm been doing some work on #34096 and wondered if (other than what is in the updated docs for
|
Closes #21651
- What I did
Adjusted the archiving UID/GID maps to not only consider root. Adjusted tests to appropriately measure permissions as well as the metadata it already carried to better enable testing with permissions crossing the border into/out of a container.
- How I did it
It's a pretty small patch. :D
- How to verify it
This aughta work:
Before, these files would be root. After, they should reflect the UID of the files on the host.
- Description for the changelog
Fixed copy protocol and
docker cp
to appropriately transfer UID/GID to files copied into the container.